Consumer Experience (CX) Guidelines

Consent Review Research Report (Q3 2022, R1-3)

Published
July 26, 2023

Executive summary

This report contains findings and recommendations based on three rounds of qualitative and quantitative Consumer Experience (CX) research, conducted from September to November 2022. In total, 290 consumers participated in research activities ranging from 1:1 moderated interview sessions to unmoderated surveys and prototype tasks.

The purpose of this research was to examine the viability of simplifying rules and standards for Consumer Data Right (CDR) consents and dashboards, as identified by the Consent Review Working Group.

Prototypes of a collection and use consent flow were used to facilitate discussion with consumer participants, and generate quantitative metrics relating to engagement, comprehension and sentiment.

Key research questions included:

  • How might we simplify the consent flow while maintaining intuitive, informed, and trustworthy data sharing experiences? This includes:

    1. Balancing the display of information with the need to maintain an informed and trustworthy experience; and
    2. Balancing interaction loads while offering control and intuitive experiences.

  • How might changes to the consent flow impact consumer empowerment and choice, comprehension and informed consent as well as trustworthiness of the CDR?

Specific hypotheses, insights, and their results included:

The CX research suggests that the proposed changes to the consent flow would not meaningfully impact consumers’ comprehension, empowerment and trust.

Eight out of twelve research questions were strongly supported by the research evidence. While the evidence from this research for the remaining four questions was indeterminate, this report provides recommendations based on current and past CX research.

Can collection and use consents be granted in a single action without reducing empowerment or comprehension?

The evidence suggests yes.

Can multiple uses be requested in a single flow without impacting comprehension or trustworthiness?

The evidence suggests yes.

Can required datasets be pre-selected or clearly indicated without impacting empowerment and comprehension?

The evidence is indeterminate, but this could still be done safely and intuitively.

Where the consent duration is essential to the provision of the service, can this be pre-selected or clearly indicated without impacting empowerment and comprehension?

The evidence is indeterminate, but this could still be done safely and intuitively.

Can withdrawal information shown during consent be simplified without impacting comprehension and empowerment?

The evidence suggests yes.

Does the consistent display of supporting parties better align with consumer expectations?

The evidence suggests yes.

Can the data language ‘permissions’ be referred to in a more conversational way?

The evidence suggests yes.

Should the requirements for 90-day notifications be amended to provide clarity on their content, and to allow flexibility for consolidating them?

The evidence suggests yes.

Would specific guidance on what to include in a CDR receipt help to better meet consumer expectations?

The evidence suggests yes.

Would further guidance on when to provide a CDR receipt better meet consumer expectations?

The evidence is indeterminate, but this could be explored further.

Are dashboards necessary for once-off consents?

The evidence is indeterminate, but this could be explored further.

Would a deletion by default approach improve consumer control, empowerment and trust?

The evidence suggests yes.

This research was also informed by earlier consultation and research conducted across 2020–2022 including the following:

  1. Noting Paper 273 consultation
  2. Phase 3 CX research reports
  3. Disclosure Consent research report
  4. Consumer Policy Research Centre (CPRC) report: My Data, My Choices

Full details on the public consultation and outcomes can be found on Design Paper 321: Consumer Data Right Consent Review.


Research approach

Following the recommendation in the CDR Rules Design Review to examine the viability of simplifying the rules for CDR consents and dashboards, Treasury has established the Consent Review Working Group with the Data Standards Body’s (DSB) Consumer Experience team. The Working Group’s aim is to review the CDR consent rules and standards, as well as potential future directions for CDR consents.

  • Goals
  • Key objectives
  • Focus areas and research questions

Who did we research with?

What did we do?

What did we test?

Consent Score

The Consent Score is an artefact developed to provide a visually simplified representation of a consent flow’s performance. This graph aggregates the various metrics used in research, based on a formula that considers several variables and areas.

Consent Score formula

Consent Scores for Existing state (round 1) compared to Iterated simplified state (round 3)

[Image: Consent Scores graph]

For the above Consent Scores graph, the breakdown across round 1 and 3 is as follows:

| | Existing collect and use consent (round 1) | Simplified collect and use consent (round 3) | Difference |
|---|---|---|---|
| Empowering and Voluntary | 63.32% | 52.81% | -10.51% |
| Informed and Comprehensible | 74.10% | 66.31% | -7.79% |
| Trustworthy | 49.21% | 45.49% | -3.72% |
| Total Score | 62.21 / 100 | 54.87 / 100 | -7.34 |

At a glance, there appears to be an overall decrease in Consent Scores across rounds 1 and 3. However, for the majority of round 1 and 3 scores, the differences were not statistically significant. This means there is not enough evidence to conclude that there is a real difference between round 1 and round 3 results. As such, we cannot establish a cause-and-effect relationship. The differences in scores are likely to have happened by chance (e.g. participant selection), rather than design changes.

Two degrees experienced a statistically significant decrease:

  • Engagement/interaction degree for Empowering and Voluntary

    The large and statistically significant decrease can be explained by the removal of the ‘actively select’ requirement for datasets in the simplified consent flow, which automatically resulted in a lower score.

    However, the presence of active selection functionality in the current state consent flow could be considered a false choice where a consumer cannot continue without selecting required datasets. As such, the simplified consent flow’s lower scores for ‘Empowering and Voluntary’ could be considered to reflect a more accurate and realistic baseline score for this aspect of consent in general.

  • Subjective degree for Informed and Comprehensible

    The small but statistically significant decrease can be explained by:

      • The removal of withdrawal instructions in the consent flow
      • The display of multiple durations in the consent flow

Note: Consent Scores across round 1 and 3 were compared using Student’s t-test to assess the statistical significance of the different scores.

Breakdown of statistical analysis comparing round 1 to 3

Changes to the Consent Flow

Changes in data sharing landscape

Empowering and voluntary

Informed Consent and Comprehension

Trustworthiness

Findings

What did we learn?

The participants in our research demonstrated various expectations and needs relating to:

  • The display of information
  • Control and choice

Separation of consents (bundling)

Can collection and use consents be granted in a single action without reducing empowerment or comprehension?

  • Bundling of collection and use consents reflects consumers’ mental model
  • Bundling of collection and use consents did not negatively impact consumer comprehension or empowerment

Supported by evidence? Yes

To consumers, the data requested and the service being delivered are inextricably linked. Bundling of collection and use consents accurately reflects consumers’ mental model of providing access to data for a service. A use consent outlining a clear description of the service also provides consumers with reassurance and clarity to justify the data requested in the collection consent.

If use and collection were required to be granted in separate actions, this would break consumer mental models, resulting in a consent flow that may feel unnecessarily onerous. The separation of these consents may also negatively impact the comprehension that the data collection is needed for the service to operate effectively.

Similarly, 2021 research into disclosure consents suggested that bundling a collection, use, and disclosure consent aligned with consumer mental models where the disclosure consent was essential to the provision of the service. The research focussed on a rental application proposition, where the sole purpose of collecting data was to disclose insights to a real estate agency.

Abiding by the Data Minimisation Principle (DMP) will help make the link between the data requested and use case clear. A clear purpose statement also helps highlight the relevance and importance of the data requested.

Research shows that the Personal Finance Management service was easily understood by participants. Opportunities exist to conduct further research using other use cases or sectors.

Opportunities

Existing requirements could be reviewed to allow collection and use consents to be requested and granted in a single action.

Can multiple uses be requested in a single flow without impacting comprehension or trustworthiness?

  • Being able to opt-in to non-essential uses aligns with consumer expectations

Supported by evidence? Yes

Consumers are open to opting in to additional services at the time of consent if they feel related, relevant and valuable. They expect any additional data requirements to be explicitly stated to allow them to make informed decisions.

Consumers expect additional uses to be presented as opt-in. Opt-in uses may also give consumers faith that the service is not asking for more control or more information than is necessary.

Opportunities

The research supports requests being made for related but non-essential “add-on” uses in a single consent flow, provided they require active selection by the consumer.

Pre-selected and actively selected options

Can required datasets be pre-selected or clearly indicated without impacting empowerment and comprehension?

  • Approach
  • Consumers understand the connection between datasets and use cases
  • Consumers want control over datasets, despite acknowledging an impact on service delivery

Supported by evidence? Indeterminate

Few participants mentioned, unprompted, a desire for control over what data would be shared. However, when probed during round 2-3 moderated interviews, many did express an interest in this control.

Most consumers were able to infer when data clusters are reasonably needed for the service. They understood that sharing less data would impact the service offering. The absence of control over datasets may have helped consumers draw this connection.

Active selection of datasets may be seen by some consumers as a marker of empowerment and control. This is despite an understanding that the service may be impacted by sharing less data, or that it may only be an illusion of control, where all data sets must be selected before they can proceed.

For others, active selection of data that is essential to the provision of the service is seen as a false choice, and an unnecessary step.

Heuristically, actively selecting required datasets imposes an increased interaction burden on consumers. This increased load may be seen as worthwhile if it leads to better engagement with the information. However, the research indicates that removing the actively select requirement does not meaningfully reduce engagement with data clusters.

Further, technical limitations mean that certain data clusters are a pre-requisite for others (e.g. the Transaction Details cannot be accessed without the Account Balances and Details cluster). This places a burden on consumers to understand technical dependencies and service requirements.

Similar issues have been addressed in other jurisdictions, such as under the GDPR. Cookie consent implementations, for example, include the pre-selection and disablement of required permissions, often with a label of ‘Necessary’ or ‘Essential’. This relays the fact that the pre-selected permission is not optional for the service to operate, and as such cannot be de-selected.

Opportunities

To support simplification and informed consent, data clusters that are essential to the provision of a service (that is, the service cannot be delivered without them) could be clearly indicated without the presence of an interactive component, such as a checkbox or toggle.

CDR participants could be allowed (but not required) to do this if the good or service cannot be delivered without the requested data. This would require a reconsideration of existing requirements that prohibit pre-selection and require active selection.

However, where datasets are genuinely optional because they are not essential for the service to function, maintaining existing requirements that prohibit pre-selection would better match consumer expectations and alignment with the DMP.

Allowing optional permissions to be requested alongside ‘essential’ permissions could also be considered (see findings related to multiple use consents being requested in a single flow).

The DMP will factor into understandings of what is ‘essential’ or ‘required’. Consideration could be given to the scope and definition of a “good or service”, and how this might be governed by the DMP.

Further research on consumer control would be beneficial, particularly as the CDR expands to support other sectors, use cases, and the initiation of payments and actions.

Where the consent duration is essential to the provision of the service, can this be pre-selected or clearly indicated without impacting empowerment and comprehension?

  • Approach
  • Duration can be determined by the service, with optionality where appropriate
  • Historic data access is dependent on personal circumstances

Supported by evidence? Indeterminate

Consumer participants thought critically about the link between the service on offer and the consent duration being requested. In the case of the Personal Finance Management service tested in the research, what was considered to be the most appropriate period was heavily influenced by personal circumstances.

Some consumer participants expected that the data recipient would determine the most appropriate duration option for the service.

Others, despite feeling comfortable with the suggested duration, wanted to be able to choose from different duration options.

Opportunities

While some goods and services can offer a range of consent duration options without resulting in a service impact, other use cases may require certain durations to function properly.

Where a specific duration is necessary for a service, data recipients could be allowed to pre-select the duration or specify the duration in text form. This would diverge from the current requirement to choose the period of the consent or actively select whether the consent would apply on a once-off or ongoing basis.

If optionality and flexibility exist, allowing consumers to choose a duration beyond the minimum duration would best support consumer empowerment. Consideration could be given to permitting data recipients to present the minimum required duration as “recommended”. However, allowing any duration to be presented as “recommended” other than the minimum required could mislead consumers.

Further research on minimum access periods for other goods and services would build on insights from the consent review research, which focused on a Personal Finance Management service.

Allowing for control over historic data access durations could be considered in the future, to empower consumers to adjust this depending on their individual circumstances.

Withdrawal of consent information

Can withdrawal information shown during consent be simplified without impacting comprehension and empowerment?

  • The fact that consent can be withdrawn is highly valued
  • Instructions for and consequences of withdrawal are less critical
  • Withdrawal information elsewhere in the consent model was appreciated

Supported by evidence? Yes

Communicating that consent can be withdrawn at any time is important for building trustworthiness and confidence. Consumer participants appreciated this being mentioned at various stages of the consent flow and throughout the consent model, with some stating that this gave them confidence to proceed.

Full withdrawal details in the CDR policy were appreciated. Likewise, withdrawal instructions in the CDR receipt reassured those who felt they may want to withdraw their consent before the end of the consent period.

Consumer participants expected the process for withdrawing consent to be intuitive, easily accessible, and self-service.

Opportunities

The existing withdrawal process largely meets consumer expectations, but certain requirements could be reconsidered.

The requirement to show withdrawal instructions in the consent flow could be removed and provided in the CDR receipt instead.

The requirement to state the consequences of withdrawal up front could instead be reserved for if a consumer decides to exit the consent process, at which point the CDR participant could contextually state the consequences of not proceeding.

Existing requirements to include full withdrawal details in the CDR policy and CDR receipt meet consumer expectations. Currently, CDR participants are required to include information provided when obtaining consent as part of their CDR receipt. If requirements for withdrawal instructions and consequences are removed from the consent flow, the CDR receipt requirements could be strengthened to explicitly include these elements.

The data holder dashboard requirement for withdrawal to be no more complicated than the process of giving the authorisation could be expanded to apply equally to consent withdrawals.

Supporting parties

Does the consistent display of supporting parties better align with consumer expectations?

  • Upfront transparency is seen as critical
  • Access and control over third parties is desired

Supported by evidence? Yes

CX research has consistently shown the importance of outlining all parties involved in the process who may access the data.

Consumer participants expected transparency around any OSP/intermediary involvement to allow them to make informed decisions about their consent.

Opportunities

Existing requirements could be reviewed to consider a consistent presentation of information relating to sponsors, principals and OSPs alike.

As per the CX Guidelines (Checklist references 1CO.03a.04, 1CO.03b.02, 1CO.03c.12), this could include the name(s), related accreditation number(s), and links to the related CDR policy of any supporting parties.

In other jurisdictions, such as GDPR, data recipients alert consumers periodically if/when supporting parties change. Such updates could be considered for CDR to ensure consumers are informed on an ongoing basis.

Data language standards

Can the data language ‘permissions’ be referred to in a more conversational way?

  • Approach
  • Varied presentation preferences

Supported by evidence? Yes

Consumers scan and process information differently.

  • For some, data language lists made it easier for them to scan and understand permission details.
  • For others, data cluster headings with short conversational paragraphs describing and explaining permissions were favourable.

Banking data language was easily understood by consumers in both formats. CX research on energy and telco language in 2020 and 2022 showed that some technical terms and jargon were unavoidable.

Opportunities

Flexibility in how data language is presented to consumers would help support different consumer preferences and comprehension of complex terms, which may differ by sector or target market.

The existing CX standards could be amended to explicitly allow flexibility in the format and presentation of the data language standards.

Further research could be conducted to refine CX guidelines on structure and content preferences for different sectors.

90-day notifications

Should the requirements for 90-day notifications be amended to provide clarity on their content, and to allow flexibility for consolidating them?

  • Reminder notifications are valuable and empower consumers
  • Notification fatigue may result in consumers disengaging

Supported by evidence? Yes

The value of 90-day notifications is clear. However, the rigidity of the current requirements for their delivery schedule may result in notification fatigue, particularly as CDR adoption grows.

The lack of detail around notification content means consumer control may be absent. Notifications without an actionable next step can result in frustration and disengagement.

Opportunities

The requirements could be reviewed to allow for flexibility to consolidate notifications. This might include guidance around consolidated notifications timing, to ensure consumer protections are maintained.

Consumer control and empowerment could be improved if CDR requirements specified that 90-day notifications require an actionable step to review active consents.

The requirements may consider allowing CDR participants the flexibility to deliver notifications via different channels, depending on the urgency or sensitivity of the notification.

CDR receipts

Would specific guidance on what to include in a CDR receipt help to better meet consumer expectations?

  • Information shown was valued and appropriate
  • Information perceived as missing reflects gaps in knowledge

Supported by evidence? Yes

CX research suggested that CDR receipts play an important role for informed consent and consent management.

The level of information provided in the research was broadly seen as sufficient and aligned with expectations, though some participants desired more detail.

Opportunities

Existing requirements could be revised to explicitly state what information to include in the CDR receipt. The specifications for a CDR receipt could be drawn from the artefact that tested successfully in CX research.

CDR receipts can continue to act as a record of the data sharing arrangement, with links to additional information (such as the CDR policy) as appropriate. This is especially important if critical information provided in the consent flow is reduced or only accessible upon-click.

Information relating to withdrawing consent was regarded as valuable. The research findings suggested that consumer expectations and control could be supported by providing the full details of a consumer’s right to withdraw, including instructions for how they can do so, in the CDR receipt.

Would further guidance on when to provide a CDR receipt better meet consumer expectations?

  • CDR receipts at the time of consent are expected

Supported by evidence? Indeterminate

CDR receipts provide a point-in-time record of the consent given. This record is valued by consumers and expected by many. The CDR receipt provides another trust-marker for participants to feel reassured about their data sharing arrangement.

Opportunities

Further research could be conducted to understand meaningful triggers for CDR receipts and whether existing receipt delivery requirements could be expanded, but based on heuristic analysis the following could be considered:

  • expiry (not just withdrawal);
  • updates regarding redundant data handling, such as when data is expected to be deleted following consent expiry;
  • the fact that data has been deleted once this has occurred.

Further research could be conducted to understand consumer appetite for CDR receipts when providing multiple consents in quick succession.

Dashboards for once-off consents

Are dashboards necessary for once-off consents?

  • Mixed responses to dashboards for once-off consents

Supported by evidence? Indeterminate

Initial evidence suggests that in circumstances where a consumer has only a single once-off consent, a dashboard may not be necessary and a CDR receipt may suffice.

To assure consumers that their data is no longer accessed, greater importance and value is seen in notifying them in writing that their consent has expired, as per Rule 4.18(3).

Opportunities

Initial evidence suggests that there may be merit in reviewing the need for once-off consent dashboards, but preliminary analysis suggests that the use cases supported by this change would be limited in scope.

If once-off dashboards are reconsidered, it would be prudent to emphasise other means of managing and withdrawing consent, such as the CDR receipt or, in the case of withdrawal or record access, using a simple alternative method of communication.

Further research on consumer dashboards for once-off sharing and analysis of downstream impacts is recommended.

De-identification and deletion by default

Would a deletion by default approach improve consumer control, empowerment and trust?

  • Approach
  • Most consumers did not mention any risks of de-identifying data
  • Consumer participants’ acceptance of de-identification is mixed

Supported by evidence? Yes

Research evidence to date highlights that while consumers are open to their data being de-identified and used to help improve services, their understanding of the risks and consequences of de-identification is low.

A deletion by default approach, which requires consumers to expressly opt in to de-identification and retention of their data, would better align with consumer expectations. A deletion by default approach would also better protect consumers who may not understand the risks, by not automatically enrolling them in a system they don’t fully understand.

While some consumers are happy to have their data de-identified, particularly to help improve products and services, others would prefer to have their data deleted. The ability to make a selection that aligns with their preferences would better empower consumers and provide them with control.

Current requirements stipulate that ADRs who de-identify and retain redundant data must provide consumers with the option to elect to have their data deleted instead. However, research indicated that consumers have an expectation that their data would be deleted by default, and that any de-identification and retention of their data should require them to explicitly opt in. A deletion by default approach, with a request for a de-identification consent, could improve consumers’ trust in CDR participants’ handling of their data.

The requirements for requesting a de-identification consent are similar to, but differ slightly from, those for de-identification of redundant data. The potential interactions between consumer elections to have their redundant data deleted and separately granting de-identification consents are complex and likely to lead to confusion. Consolidating these two separate requirements and processes could simplify consent processes, the rules, and compliance.

Findings from this research strongly align with de-identification and deletion findings from Phase 3 research.

Opportunities

Existing requirements should be reviewed. A policy position of deletion by default should be strongly considered to improve consumer empowerment and control, facilitate informed consent, and better align with consumer expectations.

Consumers should still be able to expressly opt-in to their data being de-identified. This election could apply regardless of the data being redundant.

Allowing consumers to make granular selections when opting in to de-identification could improve consumer trust and empowerment. This granular control could allow consumers to opt in to uses they feel comfortable with, and not consent to those they don’t.

An introduction of granular control should be balanced against increased cognitive and interaction load to reduce the risk of consent fatigue.

Next steps

The insights and considerations from this research have informed the development of a design paper for the consent review. This design paper will be consulted on publicly, followed by consultation on any proposed rules and standards.

Further CX research may be considered for future work on the consent model, including to support any further simplifications, review, and the expansion of CDR to support other sectors and functionality, such as action-initiation.

NB: This report does not necessarily reflect the position or direction of the government or the Data Standards Body. Recommendations found within these reports represent a set of possibilities that will be reviewed and considered and are subject to change. Reports will inform rules and data standards development but should not be seen as indicative of the CDR’s direction.


The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023. The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.